Agentic Identity Architecture for Zero Trust AI

Architecture Deep Dive SPIFFE / SPIRE Zero Trust mTLS NHI Governance Policy-as-Code

Agentic Identity
Architecture for
Zero Trust AI

AI agents are the largest unseen workforce inside your critical systems — and your identity controls were never designed for them. This is the complete architecture for securing AI agent identity through SPIFFE/SPIRE, mTLS, policy-as-code, and lifecycle governance across the full agentic stack.

April 2026 · Security Architecture · 22 min read

Identity Flow — Request Lifecycle

spiffe://workload.identity/agent/frame/ns/ai-ops/sa/frame-coordinator

01→SVID Request — Agent contacts SPIRE Agent via Workload API (Unix Domain Socket). No passwords. Kernel-level attestation via SO_PEERCRED.

02→Attestation — SPIRE Server verifies binary hash, K8s service account, namespace selectors. Issues short-lived X.509-SVID (1hr TTL).

03→mTLS Connection — Agent presents SVID certificate. Downstream service validates against trust bundle. Mutual auth. Encrypted transport (TLS 1.3).

04→PEP Decision — Policy Enforcement Point validates SPIFFE ID against OPA/Rego rules. Least-privilege action authorised.

05→Audit Trail — Every action logged: Who (SPIFFE ID) · What (authorised action) · When (real-time attestation timestamp).

100:1

non-human to human identity ratios in large enterprises — NHIs are now the primary security perimeter in cloud environments

70%

of leaked secrets remain active 2 years after exposure — GitHub State of Secrets Sprawl 2025. AI agents amplify this risk at machine speed

80%

of IT pros report AI agents have acted unexpectedly or performed unauthorised actions — Sailpoint. Agents need identity governance, not API keys

33%

of enterprise software applications will include agentic AI by 2028 — Gartner. The identity problem compounds with every agent deployed

The Identity Problem

Your AI Agents Have No Identity. That Is a Security Emergency.

// THE FIRST RULE OF 2026 SECURITY: An agent should never possess a credential at rest.
// Instead of giving an agent a key, you give it a verifiable identity.
// Stop creating IAM users for bots. Stop hardcoding API keys. Stop trusting long-lived secrets.
// The “insider threat” is no longer a human. It’s the agent.py file you committed three years ago.

In October 2024, the Internet Archive suffered a catastrophic breach — not from a zero-day exploit, but from a GitLab authentication token hardcoded in a configuration file in December 2022. For nearly two years, that non-human identity sat dormant, unrotated, and fully privileged. When attackers found it, they had the keys to the kingdom. This is the threat model for agentic AI: static credentials issued once, forgotten, and eventually exploited — now at machine speed.

Non-human identities (NHIs) now outnumber human identities in enterprise environments by ratios of 40:1 to 144:1. Every AI agent you deploy adds to this population. Unlike service accounts, agents dynamically select actions from available capabilities and are far more likely than humans to execute dangerous operations when given the opportunity. The result, observed across enterprise deployments in 2025–2026, is agents accumulating standing access to sensitive systems with no tie back to a human identity, no audit trail, and no lifecycle management.

The architecture that solves this is not new — it is the zero trust model applied to microservices and cloud-native workloads, now extended to AI agents as first-class identity principals. SPIFFE is the standard. SPIRE is the implementation. mTLS is the transport. Policy-as-Code is the authorisation layer. Together, they constitute an Agentic Identity Architecture that answers three critical questions for every agent action: Who (SPIFFE ID), What (Zero Trust Policies), and When (Real-Time Attestation).

System Architecture

The Complete Agentic Identity Stack

The architecture operates across four functional layers — each addressing a distinct aspect of the agentic identity problem, from cryptographic identity issuance through runtime policy enforcement to telemetry and audit.

Layer 1 — Governance Control Plane

Human Operators · Policy Authority · Agent Lifecycle Management

Human Operators Policy-as-Code Engine (OPA/Rego) Agent Registry (FRAME · RAVI · HUMBLE · IDEA) Lifecycle Controller Governance Dashboard

Layer 2 — SPIFFE Identity Plane

Attestation · SVID Issuance · Trust Bundle Distribution

SPIRE Server SPIRE Agent (per-node) X.509-SVID Issuance JWT-SVID Issuance Trust Bundle Distribution Workload Attestation Node Attestation SPIFFE Federation (multi-cluster)

Layer 3 — Zero Trust Runtime

mTLS Transport · Policy Enforcement · Tool Access Control

mTLS Connection (TLS 1.3) Mutual Authentication Policy Enforcement Point (PEP) Service Mesh (Istio Ambient / Envoy) Tool Access Gateway (API / MCP) Token Exchange (OAuth 2.0) Just-in-Time Access

Layer 4 — Audit & Intelligence

Telemetry · Risk Analytics · Compliance Trails

Telemetry & Logs Risk Analytics Dashboard Audit Trails & Reports Agent Observability Anomaly Detection Circuit Breakers

Layer Architecture

Each Layer: How It Works and Why It Matters

Layer 01

Identity Foundation

SPIFFE Specification & SPIRE Server

The bottom turtle. Cryptographic identity for every agent workload — without passwords, API keys, or human intervention.

CNCF Graduated

X.509-SVID · JWT-SVID

spiffe.io standard

SPIFFE solves the “Secret Zero” problem: how do you securely deliver the first credential to a workload without another, deeper secret underneath it? SPIFFE’s answer is attestation — verifying that a workload is genuinely what it claims to be, based on platform-level evidence that cannot be forged. There are no passwords in this model. The identity is the compute environment itself.

Each AI agent receives a SPIFFE ID — a URI structured as spiffe://trust-domain/agent/type — cryptographically verifiable and tied to runtime workload attributes. The SPIRE Server is the signing authority: it maintains a workload registry, runs attestation plugins, and issues short-lived SVIDs in X.509 or JWT format. SPIRE Agents run on each node, caching SVIDs locally and performing kernel-level workload attestation without network calls.

Security properties are explicitly designed for agentic workloads: identities are ephemeral (typically 1–4 hour TTL), automatic (no human touches a credential), and tied to observable runtime state (binary hash, container image, K8s namespace, service account). When the agent dies, the identity dies. If an agent is compromised, the SVID auto-expires before the attacker can reuse it at scale.

SPIFFE ID — agentic workload registration

# SPIFFE URI for an AI agent workload
spiffe://workload.identity/ns/ai-ops/sa/frame-coordinator

# Embedded in X.509 SAN field — any TLS library can read it
X509v3 Subject Alternative Name:
  URI:spiffe://workload.identity/ns/ai-ops/sa/frame-coordinator

# SPIRE entry — node + workload attestation selectors
spire-server entry create
  -parentID spiffe://workload.identity/node/k8s-node-01
  -spiffeID spiffe://workload.identity/ns/ai-ops/sa/frame
  -selector k8s:ns:ai-ops
  -selector k8s:sa:frame-coordinator
  -ttl 3600  # 1-hour SVID — no secret ever at rest

Technical Components

SPIRE Server

Signing authority for the trust domain. Maintains workload registry, runs attestation plugins, issues SVIDs on verified CSRs. The root of the identity chain.

SPIRE Agent

Per-node daemon. Attests workloads via kernel metadata (SO_PEERCRED), caches SVIDs, serves the Workload API over Unix Domain Socket. Local attestation — no network calls required.

X.509-SVID

Short-lived certificate with SPIFFE ID in SAN field. Used for workload-to-workload mTLS. Auto-rotated before expiry. Injected into workload memory — never written to disk.

JWT-SVID

Short-lived JWT with SPIFFE ID claim. Used for cross-service HTTP authentication and token exchange flows — e.g., agent-to-cloud-API via STS federation without static IAM credentials.

SPIFFE Federation

Cross-cluster trust bundle exchange. Multi-cloud, multi-cluster agent deployments validate each other’s identities without sharing a root CA — best practice for 2026 production deployments.

Layer 02

Zero Trust Runtime Layer

mTLS, Mutual Authentication & Policy Enforcement

Never trust. Always verify. At every hop, for every agent action, in both directions — regardless of network location.

NIST 800-207

TLS 1.3 · mTLS · OPA

Zero Trust · Least Privilege

Zero Trust (NIST 800-207) operates on one principle: never trust, always verify — regardless of network location. For AI agents, this means every agent-to-agent and agent-to-tool interaction must be mutually authenticated, encrypted, and authorised against explicit policy before any action executes.

mTLS (Mutual TLS) is the transport mechanism. Unlike standard TLS where only the server presents a certificate, mTLS requires both parties to present and validate each other’s SVIDs. The SPIFFE ID extracted from each certificate tells the Policy Enforcement Point exactly which agent is making the request — enabling fine-grained policy decisions based on workload identity, not network position.

Red Hat’s zero trust agentic AI research identifies the transaction boundary problem as critical: in a multi-hop chain (Client A → Agent B → Tool C), authentication happens between A and B, and separately between B and C. But A’s real transaction depends on B+C acting together. Token exchange — where B swaps A’s token for a scoped, short-lived token for C — makes trust across hops explicit, constrained, and auditable. No blanket tokens that work everywhere.

Technical Components

mTLS (TLS 1.3)

Bidirectional certificate validation using SPIFFE SVIDs. Both calling agent and receiving service verify each other’s identity before any data is exchanged. Encrypted transport is automatic.

Policy Enforcement Point (PEP)

Intercepts every agent request. Extracts SPIFFE ID from client certificate. Queries OPA Policy Decision Point. Enforces allow/deny before the downstream action executes.

Policy-as-Code (OPA/Rego)

Machine-readable, version-controlled policy definitions. Every agent permission is codified, auditable, and testable. OPA evaluates SPIFFE ID claims at sub-millisecond latency without blocking operations.

Token Exchange (OAuth 2.0 RFC 8693)

Scoped, short-lived tokens for multi-hop agent chains. Each downstream call receives a token scoped only to that interaction — no token grants blanket access across the stack.

Tool Access Gateway (API / MCP)

Centralised gateway enforcing identity verification and policy on all agent-to-tool access including MCP server connections. Security enforcement is agent- and intent-aware, not dependent on agent cooperation.

Layer 03

Governance Control Plane

Human Operators, Policy Engine & Agent Lifecycle

The control plane where human operators define, enforce, and evolve the identity and permission model for the entire agent fleet.

HUMAN OVERSIGHT

Policy-as-Code · Registry

CSA ATF · OWASP Top 10

The governance control plane is where human operators exercise authority over the agent fleet. Agents must be registered, assigned identities, granted permissions, promoted through autonomy levels, and decommissioned — all through a governed process with explicit human approval at defined thresholds.

The Cloud Security Alliance’s Agentic Trust Framework (ATF, February 2026) provides the operational model: agents progress from “Intern” (read-only) through “Junior” (human-approved actions) to “Senior” (autonomous within policy scope) based on demonstrated accuracy, security audits, and explicit stakeholder sign-off. Each stage maps to a registered SPIRE entry and a corresponding OPA policy bundle.

Policy-as-Code makes governance scalable: rather than manually configuring permissions on each service, teams write Rego policies expressing the permission model as version-controlled, testable code. Every agent permission is a policy assertion — reviewed, merged, and deployed through CI/CD with the full auditability of source control. Kill switch: immediate SPIRE SVID revocation halts any agent fleet-wide in seconds.

Agent Lifecycle (CSA ATF)

Intern Agent

Read-only. Access data, perform analysis, generate insights. No external system modifications. Minimum 2 weeks before promotion eligibility review.

Junior Agent

Can recommend specific actions with supporting reasoning. Requires explicit human approval before execution. Actions logged and attributed to approving human identity.

Senior Agent

Autonomous within policy-defined scope. Executes without per-request approval but within SPIFFE-enforced permission boundaries. Anomalies trigger human escalation circuits.

Promotion Gate

5-gate check: demonstrated accuracy + security audit + measurable impact + clean operational history + explicit stakeholder approval. No fast-tracking. All gates required.

Kill Switch

Immediate SVID revocation at SPIRE level. Policy deny-all applied instantly. No agent continues operating once its identity is revoked — regardless of in-flight tokens.

Layer 04

Audit & Intelligence Layer

Telemetry, Risk Analytics & Audit Trails

Every agent action generates a cryptographically attributable audit event. You cannot govern what you cannot see.

OBSERVABILITY

OpenTelemetry · OCSF

EU AI Act Compliance

The audit layer produces compliance evidence at runtime. Every agent action — from SVID request through policy evaluation to downstream tool access — is logged with full SPIFFE identity context: which agent, which action, which policy authorised it, which human identity was in the delegation chain, and the exact timestamp. This is not optional telemetry. It is how EU AI Act Article 12–13 traceability requirements, NIST 800-207 continuous verification obligations, and enterprise governance policies are operationally satisfied.

CVE-2025-32711 (EchoLeak) exposed Microsoft 365 Copilot to zero-click data exfiltration through pure text embedded in ordinary business documents. The payload required no code execution — Copilot processed malicious prompt injections when users opened seemingly innocent files. The audit layer exists to detect precisely this class of attack: anomalous agent behaviour that deviates from baseline, unexpected data access patterns, and tool call sequences that indicate prompt injection or agent hijacking before damage propagates.

Risk analytics dashboards aggregate SPIFFE-attributed telemetry to produce actionable signals. Circuit breakers automatically halt operations when thresholds are crossed. Compliance export pipelines produce audit reports that satisfy regulatory requirements without manual assembly.

Audit Components

Telemetry & Structured Logs

Every SPIRE SVID issuance, policy evaluation, tool call, and agent action emitted as a structured event with full SPIFFE ID context. OpenTelemetry as the collection standard for vendor-neutral aggregation.

Risk Analytics Dashboard

Real-time visualisation of agent behaviour against policy baselines. Anomaly detection flags deviations — unusual data access, unexpected tool invocations, cross-domain calls — for human review before damage propagates.

Audit Trails & Reports

Immutable, cryptographically signed logs attributing every agent action to a SPIFFE ID. EU AI Act traceability requirements satisfied by design, not retrofit. Export to SIEM and compliance platforms.

Circuit Breakers

Automated controls that halt agent operations when risk thresholds are crossed: cost overruns, unusual data volumes, repeated policy violations, identity anomalies. Human review required to resume.

Agent Identity Registry

Named Agents, Assigned Identities

In a governed agentic architecture, every agent has a registered identity, a defined scope, and a traceable owner. These four example agents illustrate the SPIFFE naming convention and the permission model in practice.

🧠

FRAME

spiffe://workload.identity/ns/ai-ops/sa/frame-orchestrator

Framework orchestration agent. Coordinates multi-agent workflows. Senior-level autonomy within defined pipelines. Human escalation on ambiguity. mTLS to all downstream agents via service mesh.

🔍

RAVI

spiffe://workload.identity/ns/research/sa/ravi-retriever

Research and retrieval agent. Read-only access to knowledge sources. No write permissions. JWT-SVID for external API authentication. Token exchange for RAG pipeline access.

🛡️

HUMBLE

spiffe://workload.identity/ns/compliance/sa/humble-auditor

Compliance and audit agent. Read-only across all namespaces. Generates audit trails. Policy evaluation only — cannot take operational actions. Cryptographic attestation of every report produced.

💡

IDEA

spiffe://workload.identity/ns/generation/sa/idea-creator

Content generation agent. Write access scoped to designated output storage only. Human approval required for external publication. Token delegation from FRAME. Full action lineage to requestor.

“An agent should never possess a credential at rest. SPIFFE is becoming the TCP/IP of agent identity — it assigns a cryptographically verifiable ID to every container. When the agent dies, the identity dies. If you are communicating over plain HTTP with API keys, you are building a legacy system.”

Optimum Partners — AI Security Architecture: Implementing WIF and SPIFFE, January 2026

Threat Reference

Attack Vectors and Architectural Controls

Each threat reflects a documented incident or vulnerability class from 2025–2026 agentic AI deployments. Each control maps to a specific architecture layer.

Threat	Attack Vector	Architectural Control	Layer
Static credential theft	Hardcoded API key in config — valid for years after exposure	SPIFFE SVID replaces keys. Short-lived X.509, auto-rotated. No credential at rest.	Layer 1
Prompt injection via document	Malicious instruction in file processed by agent (EchoLeak CVE-2025-32711)	PEP validates every action against policy regardless of instruction source. Risk analytics detects anomalous patterns.	Layer 2+4
Lateral movement via agent hop	Token trusted across hops without re-validation (transaction boundary problem)	OAuth 2.0 token exchange. Each hop receives a scoped, short-lived token. No hop inherits the full permissions of the previous.	Layer 2
Agent identity spoofing	Malicious process claims to be a trusted agent workload	SPIRE kernel-level attestation (SO_PEERCRED). Binary hash verification. Identity tied to runtime state — not self-reported.	Layer 1
Overprivileged agent accumulation	Agents accumulate standing access with no lifecycle management	SVID expiry forces periodic re-attestation. JIT access: zero permissions in sleep state. Policy-as-code enforces least privilege.	Layer 3
Zombie credential exploitation	Abandoned agent token reactivated after decommissioning	SPIRE SVID revocation is immediate. Governance control plane enforces decommission flow with full audit trail.	Layer 3
AI-orchestrated attack chain	Jailbroken agent executes 80–90% of attack chain autonomously (2025 documented incident)	Per-action PEP enforcement. Circuit breakers halt anomalous activity. Kill switch revokes SVID fleet-wide within seconds.	Layer 2+4

The Engineering Mandate

Identity Is the New Perimeter. Build It First.

The source IP stopped being a reliable security boundary when enterprises moved to containers. The network perimeter stopped being meaningful when agents began making cross-domain, cross-cloud, real-time API calls at machine speed. In 2026, identity is the perimeter — and for AI agents, that means cryptographic workload identity, not service account passwords or hardcoded API keys.

The threats are concrete. CVE-2025-32711 EchoLeak demonstrated zero-click data exfiltration from enterprise AI through ordinary business documents. The Internet Archive breach proved a 2-year-old hardcoded token remains a live vulnerability until explicitly revoked. The first documented AI-orchestrated cyber-espionage campaign demonstrated that over-privileged agent credentials enable full kill chains — reconnaissance, exploitation, credential theft, and exfiltration — with minimal human direction.

The architecture documented here — SPIFFE IDs for every agent workload, SPIRE for attestation and issuance, mTLS for transport, Policy Enforcement Points for authorisation, token exchange for multi-hop safety, and comprehensive audit telemetry — is not aspirational. It is the operational implementation that teams at Netflix, Uber, Google, Red Hat, and Cisco have converged on for production AI systems in 2026. All components are CNCF-graduated or standard protocol. The hard part is organisational discipline: implementing it consistently across every agent from the first deployed to the hundredth.

// WHO: SPIFFE ID — spiffe://workload.identity/ns/ai-ops/sa/agent-name
// WHAT: Zero Trust Policy — policy-as-code, version-controlled, least-privilege enforced
// WHEN: Real-Time Attestation — short-lived SVID, kernel-verified, auto-rotated hourly
// HOW: mTLS + PEP + token exchange + audit log — every hop, every action, every agent
// NEVER: static API keys · long-lived tokens · unattempted credentials at rest

Sources: HashiCorp — SPIFFE: Securing the Identity of Agentic AI and Non-Human Actors · Red Hat — What Are SPIFFE and SPIRE (October 2025) · Red Hat Emerging Technologies — Zero Trust for Autonomous Agentic AI Systems (February 2026) · Red Hat Emerging Technologies — Zero Trust AI Agents on Kubernetes: Kagenti (March 2026) · Petronella Cybersecurity — Machine Identity: mTLS + SPIFFE Zero Trust Guide 2026 · Optimum Partners — AI Security Architecture: WIF and SPIFFE (January 2026) · Cloud Security Alliance — Agentic Trust Framework (February 2026) · Strata.io — What Is Agentic AI Security: 8 Strategies · HashiCorp — Zero Trust for Agentic Systems: Managing NHIs at Scale (AWS re:Invent 2025) · Cisco — Zero Trust for AI Agents: New Digital Workforce (April 2026) · World Economic Forum — Non-Human Identities: Agentic AI’s New Frontier of Cybersecurity Risk · Cyber Strategy Institute — 2026 NHI Reality Report · GitGuardian — What AI Agents Can Teach Us About NHI Governance · SPIFFE.io / CNCF · NIST SP 800-207 — Zero Trust Architecture · DEV Community — SPIFFE/SPIRE Deep Dive (February 2026) · arxiv.org — Workload Identity for Zero Trust CI/CD (April 2025)

Agentic IdentityArchitecture forZero Trust AI